Initial commit (history squashed)

2025-10-07 10:14:21 +03:00
commit 016c5a3fe7
1132 changed files with 117842 additions and 0 deletions
--- a/etc/authority.yaml.sample
+++ b/etc/authority.yaml.sample
@@ -0,0 +1,71 @@
+# StellaOps Authority configuration template.
+# Copy to ../etc/authority.yaml (relative to the Authority content root)
+# and adjust values to fit your environment. Environment variables
+# prefixed with STELLAOPS_AUTHORITY_ override these values at runtime.
+# Example: STELLAOPS_AUTHORITY__ISSUER=https://authority.example.com
+
+schemaVersion: 1
+
+# Absolute issuer URI advertised to clients. Use HTTPS for anything
+# beyond loopback development.
+issuer: "https://authority.stella-ops.local"
+
+# Token lifetimes expressed as HH:MM:SS or DD.HH:MM:SS.
+accessTokenLifetime: "00:15:00"
+refreshTokenLifetime: "30.00:00:00"
+identityTokenLifetime: "00:05:00"
+authorizationCodeLifetime: "00:05:00"
+deviceCodeLifetime: "00:15:00"
+
+# MongoDB storage connection details.
+storage:
+  connectionString: "mongodb://localhost:27017/stellaops-authority"
+  # databaseName: "stellaops_authority"
+  commandTimeout: "00:00:30"
+
+# Bootstrap administrative endpoints (initial provisioning).
+bootstrap:
+  enabled: false
+  apiKey: "change-me"
+  defaultIdentityProvider: "standard"
+
+# Directories scanned for Authority plug-ins. Relative paths resolve
+# against the application content root, enabling air-gapped deployments
+# that package plug-ins alongside binaries.
+pluginDirectories:
+  - "../PluginBinaries/Authority"
+  # "/var/lib/stellaops/authority/plugins"
+
+# Plug-in manifests live in descriptors below; per-plugin settings are stored
+# in the configurationDirectory (YAML files). Authority will load any enabled
+# plugins and surface their metadata/capabilities to the host.
+plugins:
+  configurationDirectory: "../etc/authority.plugins"
+  descriptors:
+    standard:
+      type: "standard"
+      assemblyName: "StellaOps.Authority.Plugin.Standard"
+      enabled: true
+      configFile: "standard.yaml"
+      capabilities:
+        - password
+        - bootstrap
+        - clientProvisioning
+      metadata:
+        defaultRole: "operators"
+    # Example for an external identity provider plugin. Leave disabled unless
+    # the plug-in package exists under PluginBinaries/Authority.
+    ldap:
+      type: "ldap"
+      assemblyName: "StellaOps.Authority.Plugin.Ldap"
+      enabled: false
+      configFile: "ldap.yaml"
+      capabilities:
+        - password
+        - mfa
+
+# CIDR ranges that bypass network-sensitive policies (e.g. on-host cron jobs).
+# Keep the list tight: localhost is sufficient for most air-gapped installs.
+bypassNetworks:
+  - "127.0.0.1/32"
+  - "::1/128"